Why Iframe dosen't work for yahoo.com

I find this doesn’t work:

<iframe src="https://www.yahoo.com"> </iframe>

I have read this question, but I don’t understand what they mean by add:

header('X-Frame-Options: GOFORIT'); 

I tried to add this to the top of my html file(change it to php file, of course), and my php file became:

header('X-Frame-Options: GOFORIT'); 
<iframe src="https://www.yahoo.com"> </iframe>

I run it in my appserv(with php 5.2.6), and it doesn’t work. Could anybody explain what should I do exactly to overcome this?

Here is Solutions:

We have many solutions to this problem, But we recommend you to use the first solution because it is tested & true solution that will 100% work for you.

Solution 1

You’re out of luck: yahoo.com doesn’t allow you to embed their site in an iframe. Nor does facebook or other popular sites.

The reason for this restriction is clickjacking.

You can verify this by checking the response headers from their site; they specify X-Frame-Options:SAMEORIGIN which means only yahoo.com can embed yahoo.com pages.

Some older browsers won’t enforce the header but all new ones will. Afaik, there’s no simple way around it.

The only solution I can think of is implementing a proxy script, i.e. you embed a script that lives on your server that fetches the remote content for you.

Eg. your iframe calls “/my-proxy.php?url=http://www.yahoo.com/” and that script would look like:


header('X-Frame-Options: SAMEORIGIN'); // don't allow other sites to use my proxy
echo file_get_contents($_GET['url']);

Your mileage may vary…

Solution 2

You’re having issues with Cross-origin resource sharing. Read these Wikipedia CORS and MDN CORS articles.

As for your snippet,

  header('X-Frame-Options: GOFORIT'); 

needs to be added to the page being served and not to the page/code requesting it, which in this case would be yahoo.com. But as you don’t serve yahoo.com yourself, there is no way of adding it.

However if the question was regarding your own pages and yahoo.com was just an example, you can simply set correct HTTP headers as specified in the articles, and you’d be good.

Solution 3

Some websites like google, yahoo have been disabled the iframe embedding for their site. If you want to do that then grab their html using curl or file_get_conents on server side and show it.

check the HTTP response header X-Frame-Option. I think for yahoo it should be deny or sameorigin that means only the page of yahoo can embed its other pages in iframe

Solution 4

Add ‘Ignore X-Frame headers‘ plugin in google chorme then its working fine.

Note: Use and implement solution 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply